What do you do if you are setting up a new Runbook in Azure Automation and get a message similar to:
“Cannot validate argument on parameter ‘Subscription’. The argument is null or empty.”
And this is a new managed identity, or maybe the first time the identity is being used?
Looking at the roles assigned to a new system-assigned managed identity, we can see that all the RBAC roles are from Azure AD. Remember, the subscription and Azure AD are different scopes for RBAC roles. By default, a new system-assigned or user-assigned managed identity does not have rights to the subscription.
The default settings grant no subscription-level rights. Because of that, no subscription value is returned when the Connect-AzAccount -Identity command runs to authenticate the runbook with the managed identity. We can verify that by looking at the output of the $AzureContext variable used to authenticate the runbook.
The fix is easy: assign the managed identity a role in the subscription. Odds are, you intend to do that anyway. After all, why log in with the managed identity if it’s not going to interact with the subscription?
Once we assign a role in the subscription, the login context will have a subscription to add.
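
The check and the fix described above, as an added example that is not code from the original post. The function names, the placeholder IDs and the 'Reader' role are assumptions; choose the narrowest role and scope the runbook actually needs.

```powershell
# Hypothetical helper for an administrator: run once from a signed-in session
# that is allowed to create role assignments, NOT from inside the runbook.
function Grant-RunbookSubscriptionRole {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,     # identity's Object (principal) ID
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $RoleName = 'Reader'                     # assumption: least-privilege default
    )
    New-AzRoleAssignment -ObjectId $PrincipalId `
                         -RoleDefinitionName $RoleName `
                         -Scope "/subscriptions/$SubscriptionId"
}

# Hypothetical helper for the runbook: authenticate with the managed identity
# and stop with a clear message if the context came back without a subscription.
function Connect-RunbookIdentity {
    # Do not inherit a context saved by an earlier job.
    Disable-AzContextAutosave -Scope Process | Out-Null

    $AzureContext = (Connect-AzAccount -Identity).Context

    if (-not $AzureContext.Subscription) {
        # No role on any subscription: only account and tenant are populated.
        Write-Output ($AzureContext | Format-List Account, Tenant, Subscription | Out-String)
        throw 'Managed identity has no role on any subscription. Assign one, then re-run.'
    }

    # Subscription is populated, so -Subscription is no longer null or empty.
    Set-AzContext -Subscription $AzureContext.Subscription.Id `
                  -DefaultProfile $AzureContext
}

# Administrator, one time (placeholder IDs, substitute your own):
# Grant-RunbookSubscriptionRole -PrincipalId '00000000-0000-0000-0000-000000000000' `
#                               -SubscriptionId '11111111-1111-1111-1111-111111111111'

# Runbook body:
$AzureContext = Connect-RunbookIdentity
Write-Output "Runbook is using subscription '$($AzureContext.Subscription.Name)'"
```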